diff --git a/.distignore b/.distignore index 47a7700..7b224e8 100644 --- a/.distignore +++ b/.distignore @@ -10,6 +10,8 @@ # Files to ignore /.distignore /.editorconfig +/.eslintignore +/.eslintrc.js /.gitattributes /.gitignore /.phpcs.xml.dist diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e003a3..7d7e766 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file, per [the Ke ## [Unreleased] - TBD +## [2.5.1] - 2023-05-16 +### Security +- Ensure we check user permissions properly in our REST endpoint (props [@mikhail-net](https://github.com/mikhail-net), [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc)). + ## [2.5.0] - 2023-04-18 **Note that this release bumps the minimum required versions of PHP from 5.6 to 7.4 and WordPress from 3.8 to 5.7.** @@ -248,6 +252,7 @@ All notable changes to this project will be documented in this file, per [the Ke - Updated version requirements. [Unreleased]: https://github.com/10up/simple-page-ordering/compare/trunk...develop +[2.5.1]: https://github.com/10up/simple-page-ordering/compare/2.5.0...2.5.1 [2.5.0]: https://github.com/10up/simple-page-ordering/compare/2.4.4...2.5.0 [2.4.4]: https://github.com/10up/simple-page-ordering/compare/2.4.3...2.4.4 [2.4.3]: https://github.com/10up/simple-page-ordering/compare/2.4.2...2.4.3 diff --git a/CREDITS.md b/CREDITS.md index 12ee3bc..c23b388 100644 --- a/CREDITS.md +++ b/CREDITS.md 
@@ -10,7 +10,7 @@ The following individuals are responsible for curating the list of issues, respo Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc. -[10up (@10up)](https://github.com/10up), [Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Oomph, Inc. (@oomphinc)](https://github.com/oomphinc), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Ashar Irfan (@asharirfan)](https://github.com/asharirfan), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Ben Huson (@benhuson)](https://github.com/benhuson), [Jake Jackson (@jakejackson1)](https://github.com/jakejackson1), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [@dtbaker](https://github.com/dtbaker), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Marco Pereirinha (@pereirinha)](https://github.com/pereirinha), [Brent van Rensburg (@brentvr)](https://github.com/brentvr), [Caspar Hübinger (@glueckpress)](https://github.com/glueckpress), [Thomas Griffin (@thomasgriffin)](https://github.com/thomasgriffin), [Simon Waters (@SimonWaters)](https://github.com/SimonWaters), [Dion Hulse (@dd32)](https://github.com/dd32), [Tim Moore (@tmoorewp)](https://github.com/tmoorewp), [Jeffrey Carandang (@phpbits)](https://github.com/phpbits), [Michele Cipriani (@ciprianimike)](https://github.com/ciprianimike), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Max Lyuchin (@cadic)](https://github.com/cadic), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Ankit Gupta 
(@ankitguptaindia)](https://github.com/ankitguptaindia), [Siddharth Thevaril (@Sidsector9)](https://profiles.wordpress.org/Sidsector9/), [(@dzulfriday)](https://profiles.wordpress.org/dzulfriday/), [Erik Betshammar (@kebbet)](https://github.com/kebbet), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Dhanendran Rajagopal (@dhanendran)](https://github.com/dhanendran), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Dan Ruscoe (@ruscoe)](https://github.com/ruscoe), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Konstantinos Galanakis (@kmgalanakis)](https://github.com/kmgalanakis), [Dependabot (@dependabot)](https://github.com/apps/dependabot). +[10up (@10up)](https://github.com/10up), [Jake Goldman (@jakemgold)](https://github.com/jakemgold), [Ryan Welcher (@ryanwelcher)](https://github.com/ryanwelcher), [Helen Hou-Sandí (@helen)](https://github.com/helen), [Oomph, Inc. (@oomphinc)](https://github.com/oomphinc), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Oscar Sanchez S. 
(@oscarssanchez)](https://github.com/oscarssanchez), [Ashar Irfan (@asharirfan)](https://github.com/asharirfan), [William Patton (@pattonwebz)](https://github.com/pattonwebz), [Ben Huson (@benhuson)](https://github.com/benhuson), [Jake Jackson (@jakejackson1)](https://github.com/jakejackson1), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [@dtbaker](https://github.com/dtbaker), [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Marco Pereirinha (@pereirinha)](https://github.com/pereirinha), [Brent van Rensburg (@brentvr)](https://github.com/brentvr), [Caspar Hübinger (@glueckpress)](https://github.com/glueckpress), [Thomas Griffin (@thomasgriffin)](https://github.com/thomasgriffin), [Simon Waters (@SimonWaters)](https://github.com/SimonWaters), [Dion Hulse (@dd32)](https://github.com/dd32), [Tim Moore (@tmoorewp)](https://github.com/tmoorewp), [Jeffrey Carandang (@phpbits)](https://github.com/phpbits), [Michele Cipriani (@ciprianimike)](https://github.com/ciprianimike), [Sudip Dadhaniya (@sudip-10up)](https://github.com/sudip-10up), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Max Lyuchin (@cadic)](https://github.com/cadic), [Leho Kraav (@lkraav)](https://github.com/lkraav), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Ankit Gupta (@ankitguptaindia)](https://github.com/ankitguptaindia), [Siddharth Thevaril (@Sidsector9)](https://profiles.wordpress.org/Sidsector9/), [(@dzulfriday)](https://profiles.wordpress.org/dzulfriday/), [Erik Betshammar (@kebbet)](https://github.com/kebbet), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Dhanendran Rajagopal (@dhanendran)](https://github.com/dhanendran), [Jayedul Kabir (@jayedul)](https://github.com/jayedul), [William Patton 
(@pattonwebz)](https://github.com/pattonwebz), [Dan Ruscoe (@ruscoe)](https://github.com/ruscoe), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Konstantinos Galanakis (@kmgalanakis)](https://github.com/kmgalanakis), [Dependabot (@dependabot)](https://github.com/apps/dependabot), [Mika (@mikhail-net)](https://github.com/mikhail-net). ## Libraries diff --git a/package-lock.json b/package-lock.json index 5d9f504..de5ada0 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "simple-page-ordering", - "version": "2.5.0", + "version": "2.5.1", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "simple-page-ordering", - "version": "2.5.0", + "version": "2.5.1", "license": "GPLv2 ( or later )", "devDependencies": { "@10up/babel-preset-default": "^2.0.4", diff --git a/package.json b/package.json index f4b4092..d610dba 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "simple-page-ordering", "description": "Order your pages and other hierarchical post types with simple drag and drop right from the standard page list.", - "version": "2.5.0", + "version": "2.5.1", "author": "10up ", "license": "GPLv2 ( or later )", "devDependencies": { diff --git a/readme.txt b/readme.txt index 37e1edc..c2fcfc6 100644 --- a/readme.txt +++ b/readme.txt @@ -5,7 +5,7 @@ Tags: order, re-order, ordering, pages, page, manage, menu_order, h Requires at least: 5.7 Requires PHP: 7.4 Tested up to: 6.2 -Stable tag: 2.5.0 +Stable tag: 2.5.1 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html 
@@ -110,6 +110,9 @@ Yes. The plugin registers the REST endpoint `simple-page-ordering/v1/page_orderi == Changelog == += 2.5.1 - 2023-05-16 = +* **Security:** Ensure we check user permissions properly in our REST endpoint (props [@mikhail-net](https://github.com/mikhail-net), [@dkotter](https://github.com/dkotter), [@peterwilsoncc](https://github.com/peterwilsoncc)). + = 2.5.0 - 2023-04-18 = **Note that this release bumps the minimum required versions of PHP from 5.6 to 7.4 and WordPress from 3.8 to 5.7.** @@ -269,7 +272,7 @@ Yes. The plugin registers the REST endpoint `simple-page-ordering/v1/page_orderi * **Changed:** Simplified code - consolidated hooks. * **Changed:** Updated version requirements. -== Upgrade Notice == +== Upgrade Notice == = 2.5.0 = This release bumps the minimum required versions of PHP from 5.6 to 7.4 and WordPress from 3.8 to 5.7. diff --git a/simple-page-ordering.php b/simple-page-ordering.php index df09f9e..053e4ad 100644 --- a/simple-page-ordering.php +++ b/simple-page-ordering.php @@ -3,7 +3,7 @@ * Plugin Name: Simple Page Ordering * Plugin URI: http://10up.com/plugins/simple-page-ordering-wordpress/ * Description: Order your pages and hierarchical post types using drag and drop on the built in page list. For further instructions, open the "Help" tab on the Pages screen. - * Version: 2.5.0 + * Version: 2.5.1 * Requires at least: 5.7 * Requires PHP: 7.4 * Author: 10up @@ -16,7 +16,7 @@ */ // Useful global constants. -define( 'SIMPLE_PAGE_ORDERING_VERSION', '2.5.0' ); +define( 'SIMPLE_PAGE_ORDERING_VERSION', '2.5.1' ); if ( ! class_exists( 'Simple_Page_Ordering' ) ) : 
@@ -270,7 +270,7 @@ public static function page_ordering( $post_id, $previd, $nextid, $start, $exclu
 // real post?
 $post = empty( $post_id ) ? false : get_post( (int) $post_id );
 if ( ! $post ) {
- return new WP_Error( __( 'Missing mandatory parameters.', 'simple-page-ordering' ) );
+ return new WP_Error( 'invalid', __( 'Missing mandatory parameters.', 'simple-page-ordering' ) );
 }
 // Badly written plug-in hooks for save post can break things.
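Review bot: The message attached to the new `invalid` code on the `! $post` branch still reads "Missing mandatory parameters", yet this branch fires when an ID was supplied but `get_post()` returned nothing, so a caller cannot distinguish a missing argument from a non-existent post. A distinct message would make the failure diagnosable without changing the interface, e.g. `return new WP_Error( 'invalid', __( 'Invalid post ID.', 'simple-page-ordering' ) );`. The body of `page_ordering()` starts and ends outside this hunk.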
@@ -496,40 +496,80 @@ public static function rest_api_init() {
 [
 'methods' => 'POST',
 'callback' => array( __CLASS__, 'rest_page_ordering' ),
- 'permission_callback' => '__return_true',
+ 'permission_callback' => array( __CLASS__, 'rest_page_ordering_permissions_check' ),
 'args' => [
 'id' => [
- 'description' => __( 'Post ID.', 'simple-page-ordering' ),
+ 'description' => __( 'ID of item we want to sort', 'simple-page-ordering' ),
 'required' => true,
- 'type' => 'numeric',
+ 'type' => 'integer',
+ 'minimum' => 1,
 ],
 'previd' => [
- 'description' => __( 'Previous post ID', 'simple-page-ordering' ),
+ 'description' => __( 'ID of item we want to be previous to after sorting', 'simple-page-ordering' ),
 'required' => true,
- 'type' => 'numeric',
+ 'type' => [ 'boolean', 'integer' ],
 ],
 'nextid' => [
- 'description' => __( 'Next post ID', 'simple-page-ordering' ),
+ 'description' => __( 'ID of item we want to be next to after sorting', 'simple-page-ordering' ),
 'required' => true,
- 'type' => 'numeric',
+ 'type' => [ 'boolean', 'integer' ],
 ],
 'start' => [
 'default' => 1,
- 'description' => __( 'Start index', 'simple-page-ordering' ),
+ 'description' => __( 'Index we start with when sorting', 'simple-page-ordering' ),
 'required' => false,
- 'type' => 'numeric',
+ 'type' => 'integer',
 ],
 'exclude' => [
 'default' => [],
- 'description' => __( 'Array of excluded post IDs', 'simple-page-ordering' ),
+ 'description' => __( 'Array of IDs we want to exclude', 'simple-page-ordering' ),
 'required' => false,
 'type' => 'array',
+ 'items' => [
+ 'type' => 'integer',
+ ],
 ],
 ],
 ]
 );
 }
+ /**
+ * Check if a given request has access to reorder content.
+ *
+ * This check ensures the current user making the request has
+ * proper permissions to edit the item, that the post type
+ * is allowed in REST requests and the post type is sortable.
+ *
+ * @since 2.5.1
+ *
+ * @param WP_REST_Request $request Full data about the request.
+ * @return bool|WP_Error
+ */
+ public static function rest_page_ordering_permissions_check( WP_REST_Request $request ) {
+ $post_id = $request->get_param( 'id' );
+
+ // Ensure we have a logged in user that can edit the item.
+ if ( ! current_user_can( 'edit_post', $post_id ) ) {
+ return false;
+ }
+
+ $post_type = get_post_type( $post_id );
+ $post_type_obj = get_post_type_object( $post_type );
+
+ // Ensure the post type is allowed in REST endpoints.
+ if ( ! $post_type || empty( $post_type_obj ) || empty( $post_type_obj->show_in_rest ) ) {
+ return false;
+ }
+
+ // Ensure this post type is sortable.
+ if ( ! self::is_post_type_sortable( $post_type ) ) {
+ return new WP_Error( 'not_enabled', esc_html__( 'This post type is not sortable.', 'simple-page-ordering' ) );
+ }
+
+ return true;
+ }
+
 /**
 * Handle REST page sorting
 *
@@ -544,7 +584,7 @@ public static function rest_page_ordering( WP_REST_Request $request ) {
 // Check and make sure we have what we need.
 if ( false === $post_id || ( false === $previd && false === $nextid ) ) {
- return new WP_Error( __( 'Missing mandatory parameters.', 'simple-page-ordering' ) );
+ return new WP_Error( 'invalid', __( 'Missing mandatory parameters.', 'simple-page-ordering' ) );
 }
 $page_ordering = self::page_ordering( $post_id, $previd, $nextid, $start, $excluded );
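Review bot: The `not_enabled` WP_Error returned from `rest_page_ordering_permissions_check` carries no `status` in its error data, so `WP_REST_Server` will serialise it as an HTTP 500 rather than a client-side refusal; attach one, e.g. `return new WP_Error( 'not_enabled', esc_html__( 'This post type is not sortable.', 'simple-page-ordering' ), array( 'status' => 403 ) );`. The two bare `return false;` paths likewise collapse into a generic `rest_forbidden` response; returning a WP_Error with `array( 'status' => rest_authorization_required_code() )` would let clients tell an anonymous request (401) from a logged-in user lacking `edit_post` (403), which is the usual core convention for permission callbacks. Note also that the capability check covers only the post named by `id`, while a reorder presumably rewrites `menu_order` on the siblings referenced by `previd`/`nextid` as well; unless `page_ordering()` itself enforces an `edit_others_*`-style capability for the post type, a user able to edit one item could reorder items they cannot edit — worth confirming against the body of `page_ordering()`, which is outside this hunk.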
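Review bot: The `invalid` WP_Error returned from `rest_page_ordering` also has no `status` data, so a request missing both `previd` and `nextid` is reported to the client as a 500 instead of a 400; `return new WP_Error( 'invalid', __( 'Missing mandatory parameters.', 'simple-page-ordering' ), array( 'status' => 400 ) );`. Since `id` is now declared `required` with `type` integer and `minimum` 1 in the route args, and core validates arguments before the callback runs, the `false === $post_id` half of the condition looks unreachable for REST requests — presumably retained for parity with the AJAX path, which a short comment could say. The body of `rest_page_ordering` starts and ends outside this hunk.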